Vivere

ASP Net Core API downstream call to Graph API W/ AADB2C

I have an ASP Net Core API where I want to call Graph API. I configure the Authentication as such:

services.AddMicrosoftIdentityWebApiAuthentication(Configuration, configSectionName: Constants.AzureAdB2C)
  .EnableTokenAcquisitionToCallDownstreamApi(options => Configuration.Bind(Constants.AzureAdB2C, options))
  .AddMicrosoftGraph(Configuration.GetSection("GraphAPI"))
  .AddInMemoryTokenCaches();

My appsettings.json file has the following properties:

{
  "AzureAdB2C": {
    "Instance": "https://tenantName.b2clogin.com/",
    "Domain": "tenantName.onmicrosoft.com",
    "TenantId": "tenantId",
    "ClientId": "appId",
    "ClientSecret": "appSecret",
    "SignUpSignInPolicyId": "B2C_1_SignUpSignIn",
    "ResetPasswordPolicyId": "B2C_1_PasswordReset"
  },
  "GraphAPI": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "User.Read Directory.ReadWrite.All"
  }
}

My b2c app is granted permission to these Graph scopes.

I created an endpoint:

[HttpGet]
[Route("me")]
public Task<User> Me()
{
    return this.graphServiceClient.Me.Request().GetAsync();
}

This is where I get this error:

ErrorCode: unsupported_grant_type
Microsoft.Identity.Client.MsalServiceException: AADB2C90086: The supplied grant_type [urn:ietf:params:oauth:grant-type:jwt-bearer] is not supported.

Why can't my API call GraphAPI? All samples that I saw used services.AddMicrosoftIdentityWebAppAuthentication.... Could that be the reason?

Upvotes: 1

Views: 1440

Answers (1)

juunas

On-behalf-of flow in B2C is not supported: https://learn.microsoft.com/en-us/azure/active-directory-b2c/access-tokens.

Web API chains (On-Behalf-Of) is not supported by Azure AD B2C.

You need to acquire the token using application permissions as your application with client credentials flow. There is some documentation on that: https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga#register-management-application. The documentation creates a separate app registration for doing that though I think you can just add the app permissions to your existing registration.

Upvotes: 2
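The following is an added example that is not part of the question or the answer above. It shows the client credentials approach the answer recommends: the API acquires an app-only Graph token with MSAL and looks the caller up by the object id taken from the validated B2C bearer token, so no on-behalf-of (jwt-bearer) grant is ever sent to B2C. It assumes the Microsoft.Identity.Client and Microsoft.Graph (SDK v4, `.Request().GetAsync()` style) packages, the `AzureAdB2C` configuration section from the question, and that the registration has been granted an *application* permission (for example `User.Read.All` or `Directory.Read.All`) with admin consent. The class and route names are illustrative.

```csharp
// Added example, not code from the question or the answer.
// Assumptions: MSAL (Microsoft.Identity.Client), Microsoft.Graph SDK v4, Microsoft.Identity.Web
// for the GetObjectId() claim helper, and the "AzureAdB2C" section holding TenantId, ClientId
// and ClientSecret. GraphAppOnlyClient and MeController are illustrative names.
using System;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Graph;
using Microsoft.Identity.Client;
using Microsoft.Identity.Web;

public static class GraphAppOnlyClient
{
    // Client credentials flow: the API authenticates as itself with its own secret.
    // No user token is exchanged, so the unsupported jwt-bearer grant never reaches B2C.
    public static GraphServiceClient Create(IConfiguration configuration)
    {
        IConfigurationSection section = configuration.GetSection("AzureAdB2C");

        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(section["ClientId"])
            .WithClientSecret(section["ClientSecret"])
            // Token endpoint of the B2C tenant's Azure AD, not the b2clogin.com user-flow endpoint.
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{section["TenantId"]}"))
            .Build();

        // ".default" asks for every application permission already consented on the registration.
        string[] scopes = { "https://graph.microsoft.com/.default" };

        // MSAL caches the app token in memory and refreshes it when it expires.
        return new GraphServiceClient(new DelegateAuthenticationProvider(async request =>
        {
            AuthenticationResult result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
            request.Headers.Authorization =
                new AuthenticationHeaderValue("Bearer", result.AccessToken);
        }));
    }
}

// Startup.cs / Program.cs registration (replaces the .AddMicrosoftGraph(...) call):
// services.AddSingleton(sp => GraphAppOnlyClient.Create(Configuration));

[Authorize]
[ApiController]
[Route("api/[controller]")]
public class MeController : ControllerBase
{
    private readonly GraphServiceClient graphServiceClient;

    public MeController(GraphServiceClient graphServiceClient)
    {
        this.graphServiceClient = graphServiceClient;
    }

    // An app-only token has no signed-in user, so Graph's /me endpoint cannot be used.
    // Resolve the caller from the "oid" claim of the *validated* B2C bearer token,
    // never from a client-supplied id, otherwise any caller could read any user.
    [HttpGet]
    [Route("me")]
    public async Task<ActionResult<User>> Me()
    {
        string objectId = User.GetObjectId();
        if (string.IsNullOrEmpty(objectId))
        {
            return Unauthorized();
        }

        User user = await graphServiceClient.Users[objectId].Request().GetAsync();
        return Ok(user);
    }
}
```

Because the Graph token now carries the API's application permissions rather than the caller's delegated ones, keep the granted permission as narrow as the endpoint needs (reading a single user does not require `Directory.ReadWrite.All`) and load the client secret from a secret store rather than a committed appsettings.json.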
